Skip to content
Snippets Groups Projects
Commit b312ec6e authored by Florian Sesser's avatar Florian Sesser
Browse files

Update key generation documentation and add script to rotate all VPN keys

parent f00df5cb
Branches
No related tags found
3 merge requests!108Merge staging into production,!107Merge develop into staging,!91Integrate monitoring into production
Pipeline #721 passed
Stage: build
Stage: test
Hide whitespace changes
Inline Side-by-side
docs/source/ops/generating-keys.rst
+ 42
13
View file @ b312ec6e
Generating keys
===============
``config.json`` has the paths for the Ristretto and the Stripe secret key files.
There's an example ``secrets`` repo in ``morph/grid/local/secrets``.
``<grid>/config.json`` has the paths for the key files for the respective grid.
Create a symlink named ``secrets`` to your secret key repository for the deployment you are working on.
Stripe
``````
For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
>>> import base64, os
>>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
ZKAP-Issuer Ristretto
`````````````````````
Here is a Ristretto key you can use, randomly generated just now::
......@@ -19,16 +40,9 @@ For example::
echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
>>> import base64, os
>>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
ZKAP-Issuer TLS
```````````````
The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case::
......@@ -37,12 +51,27 @@ The ZKAPIssuer.service needs a working TLS certificate and expects it in the cer
Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/payments.localdev/`` directory and issue a ``sudo systemctl restart zkapissuer.service``.
Create Wireguard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or where you have them::
for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
Monitoring VPN
``````````````
Create Wireguard VPN key pairs in ``secrets/monitoringvpn/`` or where you have them.
``tools/create-vpn-keys.sh`` holds a script to rotate all VPN keys at once::
cd secrets/monitoringvpn
../../../tools/create-vpn-keys.sh morph/grid/testing/grid.nix
../../../../../tools/create-vpn-keys.sh
Or do it manually::
for i in 1 11 12 13 ; do
wg genkey | tee 172.23.23.${i}.key | wg pubkey > 172.23.23.${i}.pub
done
ln -s 172.23.23.1.key server.key
ln -s 172.23.23.1.pub server.pub
And a shared VPN key for "post-quantum resistance"::
wg genpsk > preshared.key
......
tools/create-vpn-keys.sh 0 → 100755
+ 31
0
View file @ b312ec6e
#!/usr/bin/env bash
# Scope: Create wireguard keys for all monitoringVPN hosts
# Parameters:
# file: path to grid.nix of morph deployment
# Output: Key files for all monitoring VPN hosts _in_the_current_directory_
# Convention: the IP ending in ".1" will be symlinked to server.{key,pub}
set -euo pipefail
umask 077
if [[ $# -ne 1 ]]; then
echo "Illegal number of parameters. Expected: file (path of grid.nix)"
exit 2
fi
MONITORING_IPS=$(fgrep monitoringvpnIPv4 ${1} | egrep -o "[0-9\.]{7,15}")
VPNSERVER_IP=$(fgrep monitoringvpnIPv4 ${1} | egrep -o -m1 "[0-9\.]{5,13}\.1")
for i in $MONITORING_IPS; do
wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
done
ln -fs $VPNSERVER_IP.key server.key
ln -fs $VPNSERVER_IP.pub server.pub
wg genpsk > preshared.key
# EOF
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment